Date:      Wed, 24 Oct 2007 14:01:25 -0700 (PDT)
From:      dssampson@yahoo.com
To:        Olli Hauer <ohauer@gmx.de>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: spamd nonfunctioning due to power outage in SD
Message-ID:  <101025.43337.qm@web35812.mail.mud.yahoo.com>

> dssampson@yahoo.com wrote:
> > I had a power outage to our building due to the fires in San Diego
> > and it crashed those without UPSes. One of them is the spamd
> > machine.
> >
> > I've brought it back up and run fsck on all volumes. However, mail
> > will not come into our mailboxes from outside, but mail can be
> > delivered to outside recipients. I can telnet into the spamd machine
> > and send mail externally and internally. Postfix seems to be OK. When
> > I stop pf, mail from the outside of our LAN comes pouring in. When I
> > start up pf, inbound mail comes to a stop. In the spamd log, I see
> > all kinds of connections being blacklisted and greylisted, but still
> > not one mail is being delivered. I am using spamd-mywhite as my
> > whitelist and put all known GMail IP addresses on it. I then send an
> > email from my GMail account to this machine. It gets greylisted and
> > eventually sits in the greylist for quite a while. I also see port 25
> > open on both external and internal NICs and port 8025 open on the
> > localhost interface.
> >
> > I need assistance in troubleshooting this. Running spamd 4.1.2 on
> > FreeBSD 6.2. We average 800 valid mails per day and so far in the
> > last 24 hours, not one mail has come through using the existing spamd
> > configuration.
> >
> > mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > icmp_types = "echoreq"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on { lo0 }
> > set skip on { gif0 }
> > @0 scrub in all fragment reassemble
> > @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> > table  persist
> > table  persist
> > table  persist file "/usr/local/etc/spamd/spamd-mywhite"
> > @4 rdr inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @5 rdr inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @6 rdr pass inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @7 rdr pass inet proto tcp from !  to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> > @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > @11 block drop in log all
> > @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > @22 block drop in log quick inet from 192.168.1.25 to any
> > @23 pass in on xl0 inet from 192.168.1.0/24 to any
> > @24 pass out log on xl0 inet from any to 192.168.1.0/24
> > @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > @26 pass out on rl0 proto tcp all flags S/SA modulate state
> > @27 pass out on rl0 proto udp all keep state
> > @28 pass out on rl0 proto icmp all keep state
> > @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> > warning: macro 'icmp_types' not used
> > mailfilter-root@/usr/ports#
> >
> > What's the quickest way to recover from this? Any other
> > troubleshooting techniques?
> >
> > ~Doug
> >
>
> With rule @11 (log) you can do a
> tcpdump -net -i pflog0 and look at the block rule number.

This is what I am seeing:
303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384 <mss 1380>
1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,sackOK,eol>
214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w

Which of the rules above does rule 3/0(match) refer to?

Also,
mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
mailfilter-root@/usr/ports#

No forwarding to port 8025 is occurring at this point, or so it seems.

>
> Also do a sockstat -4 -p 25 and look if your mailserver listens
> at 127.0.0.1:25, otherwise rules @4 and @5 have no effect.

mailfilter-root@/usr/ports# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     841   11 tcp4   *:25                  *:*

I should mention that this is a relay for our internal Exchange server. I'm going to test if Postfix is relaying correctly. From all indications it does seem to relay correctly, but I need to make sure it does!

~Doug



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?101025.43337.qm>